
I never touch Cardholder Data. So PCI DSS does not apply to me - Right?

Payment cards have been around a long time, and nefarious schemes to take advantage of them have been around almost as long. Since most people do not read the legal agreements they sign up to, they are unaware of their real responsibilities for protecting cardholder data against those schemes. Responsibility for Payment Card Industry Data Security Standard (PCI DSS) compliance starts with the card brands and cascades down, by contract, through their direct customers (including the card issuers) to the merchants and on to their service providers. So if you are a merchant, you remain responsible even if you think your service provider(s) handle “everything” for you.

PCI defines something called the Cardholder Data Environment (CDE), which comprises the people, processes and technology that store, process, or transmit cardholder data (CHD). When you first start taking cards as payment, whether by swiping or by submission through a website, you need to know what your CDE is and monitor its compliance.

From the way your customer is channeled to the payment processor (be it an IFRAME, redirect, or direct post), to the processing and storage of the data that may pass through system(s) you have some kind of influence on or control over, it is your job to understand and oversee every channel you may be involved with.

What if your involvement is purely a business one with no technical engagement at all? Perhaps you just tell your customers to pay you in a certain way. Well, responsibility still always comes back to you if you are the merchant.

Though compliance is a never-ending obligation, validating that you are compliant happens every year. The simplest form of compliance validation is known as a Self Assessment Questionnaire (SAQ) which, as the name implies, you can do yourself. However, if you didn’t read the original agreement, or you haven’t read the Data Security Standard, you probably won’t understand the implications of what you’re attesting to in the SAQ without professional assistance.

There are many different SAQs, and which one you should use depends on how you handle (or do not handle) cardholder data. The eligibility criteria for these SAQs are many and varied. The simplest is an SAQ-A. This SAQ is intended for merchants who fully outsource all cardholder data handling. There are 6 criteria you must meet to be eligible to use this smaller form:

  1. Only card-not-present transactions
  2. All processing goes to service providers
  3. Your company does not store, process, or transmit CHD on your networks
  4. Your service providers have their own Attestations of Compliance
  5. All elements of the payment page originate only from the service provider’s systems
  6. You retain only paper copies of any CHD, which you do not receive electronically.

If you meet all of these eligibility criteria, then you are able to use this SAQ-A, which then asks you to address just 24 out of the 1114 questions that a full validation would require. These 24 questions are drawn from only 5 of the 12 domains covered in PCI DSS:

  2 - Change all default access credentials
  6 - Develop secure systems
  8 - Identify and authenticate access to sensitive data
  9 - Physical protections
  12 - Maintain a policy that addresses compliance for all staff

A slightly different form of the SAQ, known as the SAQ-EP and for e-commerce merchants only, has eight (8) eligibility criteria. This is intended for merchants who first capture the cardholder data using their website, but then make an electronic POST of that data to their processor:

  1. e-commerce transactions only
  2. All processing except the payment page is performed by a validated outsourcer
  3. Merchant’s e-commerce website does not receive data, but controls how the consumer is directed to the outsourcer
  4. If the website is hosted by a third party, that party must be validated to adhere to all PCI DSS requirements
  5. All elements of the payment page originate only from the service provider’s systems
  6. Your company does not store, process, or transmit CHD on your networks
  7. All third-party providers are themselves PCI DSS compliant
  8. You retain only paper copies of any CHD, which you do not receive electronically.

However, the SAQ-EP exposes the merchant to all 12 requirements of the PCI DSS and to 93 of the 1114 questions that a full PCI Report on Compliance would cover.

In both cases the supplier of the code for the origin server (the one that actually creates the payment page or redirects the user to it) must be PCI DSS compliant, i.e. have their own Attestation of Compliance, and that attestation must cover the services you are purchasing or relying on.

As you can see, choosing the payment channel and processors can result in a substantially different burden while completing the SAQ.

Once the SAQ is complete, you can complete the Attestation of Compliance that goes with it. This contains checkboxes for the eligibility criteria as well as checkboxes for the various compliance requirements.

You can never get rid of PCI DSS compliance if you are a merchant: you are either doing it yourself, or you are making somebody else do it. Even though some parts of the standard may be hidden from you as an outsourced merchant, the standard is very detailed about what to do; the rules about which requirements apply to you and which forms to fill out are complicated and spread across many documents and FAQs. Consult with an expert such as a PCI Qualified Security Assessor (QSA) to make sure you are (a) not taking on more than you need to, and (b) meeting all your compliance obligations.

Truvantis is a PCI QSA company, ready and willing to assist you in making the best decisions to minimize your compliance burden for a new implementation, or ensure that you have adequately addressed all the PCI DSS requirements in a more mature environment.
